Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TLS client certificates and two-step config fetch for confidential clusters #1870

Open
travier opened this issue May 16, 2024 · 0 comments
Open

TLS client certificates and two-step config fetch for confidential clusters #1870

travier opened this issue May 16, 2024 · 0 comments

Comments

@travier
Copy link
Member

travier commented May 16, 2024

Feature Request

Environment

Confidential Clusters.

Desired Feature

For confidential cluster use cases, we want to deliver the full Ignition config only to nodes that passed attestation against a specific attestation server.

The design would look like the following:

  1. Get the config from the cloud metadata
  • It contains no secret values
  • It includes a new config entry that points to the attestation server (KBS?) to use for attestation
  • It includes a merge/replace config that needs mutual TLS to be fetched
  1. Ignition would call out to the attestation agent (KBS client?) to perform the attestation.
  2. The attestation client will get back a TLS client certificate.
  3. Ignition would then use this client certificate to fetch the full config and resume configuration/booting.

Other Information

N/A
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@travier